Abstract. Code-based cryptography is an interesting alternative to classic number-theory PKC since it is conjectured to be secure against quantum computer attacks. Many families of codes have been proposed for these cryptosystems; one of the main requirements is having high-performance $t$-bounded decoding algorithms, which is achieved when the code has a $t$-error-correcting pair. In this article the class of codes with a $t$-ECP is proposed for the McEliece cryptosystem. The hardness of retrieving a $t$-ECP for a given code is considered. As a first step, distinguishers of several subclasses are given.



Keywords: Code-based Cryptography, Error-Correcting Pairs. 
MSC(2010): 11T71, 94A60, 94B05. 

1 Introduction 

The notion of Public Key Cryptography (PKC) was first introduced in 1976 [10] by Diffie and Hellman, though Merkle had previously developed some of the key concepts [32]. The main advantage with respect to symmetric-key cryptography is that it does not require an initial exchange of secrets between sender and receiver. In the survey paper [53] it is stated that

"At the heart of any public-key cryptosystem is a one-way function, a function $y = f(x)$ that is easy to evaluate but for which it is computationally infeasible (one hopes) to find the inverse $x = f^{-1}(y)$."



The most famous trapdoor one-way functions are: 

— Integer factorization, where $x = (p, q)$ is a pair of prime numbers and $y = pq$ is its product. The best-known example of PKC is the Rivest-Shamir-Adleman (RSA) cryptosystem, whose security is based on the hardness of factoring integers, i.e. the intractability of inverting this one-way function.

— Discrete logarithm, for which a group $G$ (written multiplicatively) and an element $a \in G$ are required; then $x$ is an integer and $y = a^x$. The security of the ElGamal cryptosystem or the Diffie-Hellman key exchange depends on the difficulty of finding discrete logarithms modulo a large prime.

— Elliptic curve discrete logarithm, which is actually a particular case of the previous function when $G$ is taken to be an elliptic curve group. Then $x = k$ is a scalar and $y = kP$ is the point on the curve obtained by multiplying a fixed point $P$ by $k$. Elliptic Curve Cryptography (ECC), proposed independently by Koblitz [32] and Miller [33] in 1985, is based on the difficulty of this function in the group of points on an elliptic curve over a finite field.

However with the discovery of Shor's algorithm [46] anyone with a quantum computer can break in polynomial time all cryptosystems whose security depends on the difficulty of the previous problems. Post-quantum cryptography gave birth to the next generation of cryptographic algorithms, which are designed to run on conventional computers but against which no attacks by classical or quantum computers are known. See [5] for an overview of the state of the art in this area. Code-based cryptosystems such as the McEliece [31] and Niederreiter [35] cryptosystems are interesting candidates for post-quantum cryptography. See the surveys [7,13,37,44,45].

The security of code-based cryptosystems is connected to the hardness of the general decoding problem, which was shown by Berlekamp, McEliece and Van Tilborg [2,4] to be NP-hard, even if preprocessing is allowed [8]. However it is not known whether this problem is almost always, or on average, difficult. The problem of minimum distance decoding with input $(G, \mathbf{y})$, where $G$ is a generator matrix of a code $C$ over $\mathbb{F}_q$ with parameters $[n, k, d]$, asks to determine a codeword $\mathbf{c} \in C$ of minimal distance to $\mathbf{y}$. The bounded distance decoding problem depends on a function $t(n, k, d)$. The input is again $(G, \mathbf{y})$ but the output is a codeword $\mathbf{c} \in C$ (if any) verifying that $d(\mathbf{y}, \mathbf{c}) \le t(n, k, d)$, where $d(\cdot, \cdot)$ denotes the Hamming distance between two vectors of $\mathbb{F}_q^n$. Moreover decoding up to half the minimum distance is a bounded distance decoding problem such that $t(n, k, d) \le \lfloor (d-1)/2 \rfloor$ for all $n$, $k$ and $d$.

All known minimum distance decoding algorithms for general codes have exponential complexity in the length of the code. However there are several classes of codes, such as the Reed-Solomon, BCH, Goppa or algebraic geometry codes, which have polynomial-time decoding algorithms that correct up to a certain bound which is at most half the minimum distance.

The problems posed above have two parts [19]. Firstly the preprocessing part, done at a laboratory or a factory, where for an appropriate code $C$ a decoder $\mathcal{A}_C$ is built; this is allowed to be time consuming. Secondly the actual operation of the many copies of the decoder by consumers, which should work very fast. So we can consider the problem of minimum distance decoding with preprocessing. From the error-correction point of view it seems pointless to decode a bad code, but for breaking the McEliece cryptosystem one must be able to decode efficiently all, or almost all, codes.

In 1978 [31] McEliece presented the first PKC based on the theory of error-correcting codes. Its main advantages are its fast encryption and decryption schemes. However the large size of its public key makes it very difficult to use in many practical situations. In this cryptosystem the public key space $\mathcal{K}$ is the collection of all generator matrices of a chosen class of codes that have an efficient decoding algorithm that corrects all patterns of $t$ errors, the plaintext space is $\mathcal{P} = \mathbb{F}_q^k \times W_{n,q,t}$, where $W_{n,q,t}$ is the collection of all $\mathbf{e} \in \mathbb{F}_q^n$ of weight $t$, and the ciphertext space is $\mathcal{C} = \mathbb{F}_q^n$. The sample space is given by $\Omega = \mathcal{P} \times \mathcal{K}$. The encryption map $E_G : \mathcal{P} \to \mathcal{C}$ for a given key $G \in \mathcal{K}$ is defined by $E_G(\mathbf{m}, \mathbf{e}) = \mathbf{m}G + \mathbf{e}$. An adversary $\mathcal{A}$ is a map from $\mathcal{C} \times \mathcal{K}$ to $\mathcal{P}$. This adversary is successful for $(x, G) \in \Omega$ if $\mathcal{A}(E_G(x), G) = x$.

Let $\mathcal{C}$ be a class of codes such that every code $C$ in $\mathcal{C}$ has an efficient decoding algorithm correcting all patterns of $t$ errors. Let $G \in \mathbb{F}_q^{k \times n}$ be a generator matrix of $C$. In order to mask the origin of $G$, take a $k \times k$ invertible matrix $S$ over $\mathbb{F}_q$ and an $n \times n$ permutation or monomial matrix $P$. Then for the McEliece PKC the matrices $G$, $S$ and $P$ are kept secret while $G' = SGP$ is public. Furthermore the (trapdoor) one-way function of this cryptosystem is usually presented as follows:

$$x = (\mathbf{m}, \mathbf{e}) \longmapsto y = \mathbf{m}G' + \mathbf{e},$$

where $\mathbf{m} \in \mathbb{F}_q^k$ is the plaintext and $\mathbf{e} \in \mathbb{F}_q^n$ is a random error vector with Hamming weight at most $t$.

McEliece proposed to use the family of Goppa codes. The problem of bounded distance decoding for the class of codes that have the same parameters as the Goppa codes is difficult in the worst case [15]. However, it is still an open problem whether decoding up to half the minimum distance is NP-hard, which is the security basis of the McEliece cryptosystem. Algebraic geometry codes were also proposed for the McEliece PKC in [20,34]. The security of this PKC is based on two assumptions [7,21]:

A.1 On average it is difficult to decode $t$ errors for all codes that have the same parameters as the codes used as key,
A.2 It is difficult to distinguish arbitrary codes from those coming from $\mathcal{K}$.

Concerning the first assumption it might be that the class of codes is too small or too rigid. For instance Sidelnikov-Shestakov [50] gave an adversary that is always successful if one takes for public key space the generator matrices of generalized Reed-Solomon (GRS) codes. Concerning the second assumption, recent progress was made by Faugère et al. [14,36], where they showed that one could distinguish between high rate Goppa, alternant and random codes.

In 1986 [35] Niederreiter presented a dual version of the McEliece cryptosystem which is equivalent in terms of security [5]. Niederreiter's system differs from McEliece's system in the public-key structure (it uses a parity check matrix instead of a generator matrix of the code), in the encryption mechanism (we compute the syndrome of a message by means of the public key) and in the decryption mechanism. In his original paper Niederreiter proposed the class of GRS codes.

Let $H \in \mathbb{F}_q^{(n-k) \times n}$ be a parity check matrix of a code $C$ in $\mathcal{C}$. $H$ is masked by $H' = SHP$, where $S$ is an invertible matrix over $\mathbb{F}_q$ of size $n - k$ and $P$ is an $n \times n$ permutation or monomial matrix. The (trapdoor) one-way function in the case of the Niederreiter PKC is presented by

$$x = \mathbf{e} \longmapsto y = \mathbf{e} H'^T,$$

where $\mathbf{e} \in \mathbb{F}_q^n$ has weight $t$.

In a syndrome based (SB) hash function [1,16,17] an $r \times n$ parity check matrix $H$ is chosen at random; then the SB hash system is given by a procedure that encodes $s$ bits of information into a word $\mathbf{e}$ of length $n$ and weight $t$. The one-way function in this case (which has no trapdoor) is given by

$$x = \mathbf{e} \longmapsto y = \mathbf{e} H^T.$$

It was shown in [12,40,41] that the known efficient bounded distance decoding algorithms of Reed-Solomon, BCH, Goppa and algebraic geometry codes can be described by a basic algorithm using an error-correcting pair. That means that the proposed McEliece cryptosystems are not based on the inherent intractability of bounded distance decoding but on the one-way function

$$x = (A, B) \longmapsto y = A * B,$$

where $(A, B)$ is a $t$-error-correcting pair.

Consider $\mathcal{C}_t$, the class of linear codes over $\mathbb{F}_q$ that have a $t$-error correcting pair over an extension of $\mathbb{F}_q$. It was shown by Pellikaan [38] that codes of this family have an efficient decoding algorithm that corrects up to $t$ errors. This makes them appropriate for code-based cryptography. Note that most families of codes used in such cryptosystems belong to $\mathcal{C}_t$, such as the generalized Reed-Solomon codes, the Goppa codes, the alternant codes and the algebraic-geometry codes.

For further details on the notion of error-correcting pair see Section 2, where we formally review this definition and give a brief survey of the properties that are relevant to this work.

The aim of this paper is to study the subclass of $\mathcal{C}_t$ formed by those linear codes $C$ whose error-correcting pair is not easily reconstructed from $C$. Section 3 deals with the security status of this scheme, detailing the state of the art and the existence of error-correcting pairs for the families of codes most commonly used in code-based cryptography.

Finally, in Section 4, following the work of Faugère et al. [14], we present distinguishers for several families of codes. Recall that the hardness of the distinguishing problem is part of the basis of the security of code-based cryptosystems.



2 Error-correcting pairs

From now on the dimension of a linear code $C$ will be denoted by $k(C)$ and its minimum distance by $d(C)$. Given two elements $\mathbf{a}$ and $\mathbf{b}$ of $\mathbb{F}_q^n$, the star multiplication is defined by coordinatewise multiplication, that is $\mathbf{a} * \mathbf{b} = (a_1 b_1, \ldots, a_n b_n)$, while the standard inner product is defined by $\mathbf{a} \cdot \mathbf{b} = \sum_{i=1}^{n} a_i b_i$. In general, for two subsets $A$ and $B$ of $\mathbb{F}_q^n$ the set $A * B$ is given by $\{\mathbf{a} * \mathbf{b} \mid \mathbf{a} \in A \text{ and } \mathbf{b} \in B\}$. Furthermore $A \perp B$ if and only if $\mathbf{a} \cdot \mathbf{b} = 0$ for all $\mathbf{a} \in A$ and $\mathbf{b} \in B$.

Definition 1. Let $C$ be a linear code in $\mathbb{F}_q^n$. The pair $(A, B)$ of linear codes in $\mathbb{F}_{q^m}^n$ is called a $t$-error correcting pair (ECP) for $C$ if the following properties hold:

E.1 $(A * B) \perp C$,
E.2 $k(A) > t$,
E.3 $d(B^\perp) > t$,
E.4 $d(A) + d(C) > n$.

The notion of an error-correcting pair for a linear code was introduced independently by Pellikaan in [38] and Kötter in [53]. In [38] it is shown that a linear code in $\mathbb{F}_q^n$ with a $t$-error correcting pair has a decoding algorithm which corrects up to $t$ errors with complexity $O(n^3)$. Furthermore the minimum distance of such a linear code is at least $2t + 1$.

The existence of ECPs for generalized Reed-Solomon and algebraic geometry codes was shown in [38], and for many cyclic codes Duursma and Kötter [12] have found ECPs which correct beyond the designed BCH capacity.

Note that if E.4 is replaced by the following statements

E.5 $d(A^\perp) > 1$, i.e. $A$ is a non-degenerate code,
E.6 $d(A) + 2t > n$,

then $d(C) \ge 2t + 1$ and $(A, B)$ is a $t$-ECP for $C$.

3 Error-correcting pairs for public key cryptosystems

Let $\mathcal{V}_t$ be the collection of pairs $(A, B)$ such that $A$, $B$ are linear codes over some extension of $\mathbb{F}_q$, $A$ is non-degenerate and $(A, B)$ is a $t$-error correcting pair for some linear code $C$ in $\mathbb{F}_q^n$. We consider the following one-way function, defined on $\mathcal{V}_t$:

$$\varphi : x = (A, B) \longmapsto y = A * B.$$

Let $U$ and $V$ be two generator matrices with rows denoted by $\mathbf{u}_i$ and $\mathbf{v}_j$, respectively, let $U * V$ be the matrix formed by the rows $\mathbf{u}_i * \mathbf{v}_j$ ordered lexicographically, and let $\mathrm{red}(U * V)$ be the matrix obtained from $U * V$ by deleting dependent rows. Then the implementation of $\varphi$ may be given by

$$(U, V) \longmapsto y = \mathrm{red}(U * V).$$

Firstly we note that $\mathbf{u}P * \mathbf{v}P = (\mathbf{u} * \mathbf{v})P$ for every permutation matrix $P$ (for a monomial matrix $P = \Pi D$, with $\Pi$ a permutation matrix and $D$ diagonal, one gets $\mathbf{u}P * \mathbf{v}P = (\mathbf{u} * \mathbf{v})\Pi D^2$, again a monomial image of $\mathbf{u} * \mathbf{v}$). Thus, if $(A, B)$ is a $t$-ECP for $C$ and $P$ is a permutation matrix, then $(AP, BP)$ is a $t$-ECP for $CP$. Furthermore, let $S_1$ and $S_2$ be invertible matrices of the correct sizes to be multiplied by the matrices $U$ and $V$, respectively; then $U * V$ generates the same code as $(S_1 U) * (S_2 V)$, since $(S_1 U) * \mathbf{v} = S_1 (U * \mathbf{v})$ and $\mathbf{u} * (S_2 V) = S_2 (\mathbf{u} * V)$ for all vectors $\mathbf{u}$ and $\mathbf{v}$. Therefore the masking $H' = SHP$ by means of an invertible matrix $S$ and a permutation matrix $P$ is already incorporated in the choice of the pair of generator matrices $(U, V)$.

Let $C$ be the code with the elements of $A * B$ as parity checks. If the one-way function $\varphi$ is indeed difficult to invert, then the code $C$ with parity check matrix $H = \mathrm{red}(U * V)$ might be used as a public key in a code-based PKC. Otherwise it would mean that a PKC based on codes that can be decoded by error-correcting pairs is not secure. In the following we consider seven collections of pairs.

Example 1. The class of GRS codes was proposed for code-based PKC by Niederreiter [33]. However this proposal is completely broken by the Sidelnikov-Shestakov attack given in [50].

Let $\mathbf{a}$ be an $n$-tuple of mutually distinct elements of $\mathbb{F}_q$ and $\mathbf{b}$ be an $n$-tuple of nonzero elements of $\mathbb{F}_q$. Then the generalized Reed-Solomon code $\mathrm{GRS}_k(\mathbf{a}, \mathbf{b})$ is defined by

$$\mathrm{GRS}_k(\mathbf{a}, \mathbf{b}) = \{ (f(a_1) b_1, \ldots, f(a_n) b_n) \mid f(X) \in \mathbb{F}_q[X] \text{ and } \deg(f(X)) < k \}.$$

That is, if we define by induction $\mathbf{a}^0 = (1, \ldots, 1)$ and $\mathbf{a}^{i+1} = \mathbf{a} * \mathbf{a}^i$, then $\mathrm{GRS}_k(\mathbf{a}, \mathbf{b})$ is generated by the elements $\mathbf{b} * \mathbf{a}^i$ with $i = 0, \ldots, k-1$. If $k \le n \le q$, then $\mathrm{GRS}_k(\mathbf{a}, \mathbf{b})$ is an $[n, k, n-k+1]$ code. Furthermore the dual of a GRS code is again a GRS code; in particular $\mathrm{GRS}_k(\mathbf{a}, \mathbf{b})^\perp = \mathrm{GRS}_{n-k}(\mathbf{a}, \mathbf{b}')$ for some $\mathbf{b}'$ that is explicitly known.

Let $A = \mathrm{GRS}_{t+1}(\mathbf{a}, \mathbf{u})$, $B = \mathrm{GRS}_t(\mathbf{a}, \mathbf{v})$ and $C = \mathrm{GRS}_{2t}(\mathbf{a}, \mathbf{u} * \mathbf{v})^\perp$. Then $(A, B)$ is a $t$-ECP for $C$. Conversely let $C = \mathrm{GRS}_k(\mathbf{a}, \mathbf{b})$; then $A = \mathrm{GRS}_{t+1}(\mathbf{a}, \mathbf{b}')$ and $B = \mathrm{GRS}_t(\mathbf{a}, \mathbf{1})$ form a $t$-ECP for $C$, where $t = \lfloor (n-k)/2 \rfloor$ and $\mathbf{b}' \in \mathbb{F}_q^n$ is a nonzero vector verifying that $\mathrm{GRS}_k(\mathbf{a}, \mathbf{b})^\perp = \mathrm{GRS}_{n-k}(\mathbf{a}, \mathbf{b}')$.

So GRS codes are the prime examples of codes that have a $t$-error-correcting pair. Moreover if $C$ is an $[n, n-2t, 2t+1]$ code which has a $t$-error-correcting pair, then $C$ is a generalized Reed-Solomon code. This is trivial if $t = 1$, proved for $t = 2$ in [41, Theorem 6.5] and for arbitrary $t$ in [30].

Example 2. Error-correcting pairs for cyclic codes were found by Duursma and Kötter [11,12,25]. Cyclic codes are not considered for applications in code-based PKC.

Example 3. The class of subcodes of GRS codes was proposed by Berger-Loidreau [3] for code-based PKC precisely to resist the Sidelnikov-Shestakov attack. But for certain parameter choices this proposal is also not secure, as shown by Wieschebrink [51,52] and Márquez et al. [29].

Let $C$ be a subcode of the code $\mathrm{GRS}_{n-2t}(\mathbf{a}, \mathbf{b})$. This GRS code has a $t$-error-correcting pair by Example 1, which is also a $t$-ECP for $C$.



Example 4. Goppa codes were proposed for the McEliece PKC by its author [31]. Sidelnikov-Shestakov made a claim [50] that their method for GRS codes could be extended to attack Goppa codes as well, but this was never substantiated by a paper in the public domain. In his original paper McEliece recommended the class of binary Goppa codes with parameters $[1024, 524, 101]$, but this proposal is no longer secure with today's computing power, as shown by Peters et al. [6,42,43] by improving decoding algorithms for general codes. The attack of Wieschebrink [52] is not yet efficient enough to be applicable to these codes.

A Goppa code associated to a Goppa polynomial of degree $r$ can be viewed as an alternant code, that is, a subfield subcode of a GRS code of codimension $r$, and therefore it also has a $\lfloor r/2 \rfloor$-error-correcting pair. In the binary case with an associated square-free polynomial the Goppa code has an $r$-ECP.

Example 5. Algebraic geometry (AG) codes were introduced in 1977 by V.D. Goppa and were proposed by Janwa-Moreno [20] for the McEliece PKC. Recall that GRS codes can be seen as the class of AG codes on the projective line, i.e. the algebraic curve of genus zero. We refer the interested reader to [18,48,49].

Let $\mathcal{X}$ be an algebraic curve defined over $\mathbb{F}_q$ with genus $g$. By an algebraic curve we mean a curve that is absolutely irreducible, nonsingular and projective. Let $\mathcal{P}$ be an $n$-tuple of $\mathbb{F}_q$-rational points on $\mathcal{X}$ and let $E$ be a divisor of $\mathcal{X}$ with disjoint support from $\mathcal{P}$ of degree $m$. Then the algebraic geometry code $C_L(\mathcal{X}, \mathcal{P}, E)$ is the image of the Riemann-Roch space $L(E)$ of rational functions with prescribed behavior of zeros and poles at $E$ under the evaluation map $\mathrm{ev}_{\mathcal{P}}$. If $m < n$, then the dimension of the code $C_L(\mathcal{X}, \mathcal{P}, E)$ is at least $m + 1 - g$ and its minimum distance is at least $n - m$. If $m > 2g - 2$, then its dimension is $m + 1 - g$. The dual code $C_L(\mathcal{X}, \mathcal{P}, E)^\perp$ is again AG. If $m > 2g - 2$, then the dimension of the code $C_L(\mathcal{X}, \mathcal{P}, E)^\perp$ is at least $n - m - 1 + g$ and its minimum distance is at least $d^* = m - 2g + 2$. If $m < n$, then its dimension is $n - m - 1 + g$.

If $A = C_L(\mathcal{X}, \mathcal{P}, E)$ and $B = C_L(\mathcal{X}, \mathcal{P}, F)$, then $A * B \subseteq C_L(\mathcal{X}, \mathcal{P}, E + F)$. So there are abundant ways to construct error-correcting pairs of an AG code. An AG code on a curve of genus $g$ with designed minimum distance $d^*$ has a $t$-ECP over $\mathbb{F}_q$ with $t = \lfloor (d^* - 1 - g)/2 \rfloor$ by [38, Theorem 1] and [39, Theorem 3.3]. If $e$ is sufficiently large, then there exists a $t$-ECP over $\mathbb{F}_{q^e}$ with $t = \lfloor (d^* - 1)/2 \rfloor$ by [41, Proposition 4.2].

It was shown by Márquez et al. [28,27] that these codes are not secure for rates $R$ in the intervals $[\gamma, \tfrac{1}{2} - \gamma]$, $[\tfrac{1}{2} + \gamma, 1 - \gamma]$, $[\tfrac{1}{2} - \gamma, 1 - 3\gamma]$ and $[3\gamma, \tfrac{1}{2} + \gamma]$, where $R = k/n$ is the information rate and $\gamma = g/n$ the relative genus.

Geometric Goppa codes, which are subfield subcodes of algebraic geometry codes [47] generalizing the classical Goppa codes that are subfield subcodes of GRS codes, were proposed for the McEliece PKC by Janwa-Moreno [20].

Example 6. If $(A, B)$ is a pair of codes with parameters $[n, t+1, n-t]$ and $[n, t, n-t+1]$, respectively, and $C = (A * B)^\perp$, then the minimum distance of $C$ is at least $2t + 1$ and $(A, B)$ is a $t$-error-correcting pair for $C$ by [38, Corollary 3.4]. The dimension of $A * B$ is at most $t(t+1)$. So the dimension of $C$ is at least $n - t(t+1)$. In Appendix A it will be shown that this is almost always equal to $n - t(t+1)$ for random choices of $A$ and $B$.

If $q$ is considerably larger than $n$, then a random code is MDS with high probability. So taking random codes $A$ and $B$ of length $n$ and dimensions $t + 1$ and $t$, respectively, gives a very large class of codes for the McEliece PKC. However with a large field the key size becomes larger, and recall that the main obstacle for code-based cryptosystems is the key size.

Example 7. If $(A, B)$ is a pair of codes that satisfy the conditions (E.1), (E.2), (E.3), (E.5) and (E.6), then the minimum distance of $C$ is at least $2t + 1$ and $(A, B)$ is a $t$-error-correcting pair for $C$ by [38, Corollary 3.4].

4 Distinguishing a code with an ECP

Let $\mathcal{K}$ be a collection of generator matrices of codes that have a $t$-error-correcting pair and that is used for a code-based PKC system. In this section we address assumption A.2, whether we can distinguish arbitrary codes from those coming from $\mathcal{K}$.

Let $C$ be a $k$-dimensional subspace of $\mathbb{F}_q^n$ with basis $\mathbf{g}_1, \ldots, \mathbf{g}_k$, which represent the rows of the generator matrix $G \in \mathbb{F}_q^{k \times n}$. We denote by $S^2(C)$ the second symmetric power of $C$, or equivalently the symmetrized tensor product of $C$ with itself. If $x_i = \mathbf{g}_i$, then $S^2(C)$ has basis $\{x_i x_j \mid 1 \le i \le j \le k\}$ and dimension $\binom{k+1}{2}$. Furthermore we denote by $C^{(2)}$ (or $C * C$) the square of $C$, that is, the linear subspace of $\mathbb{F}_q^n$ generated by $\{\mathbf{a} * \mathbf{b} \mid \mathbf{a}, \mathbf{b} \in C\}$. See [14, §4, Definition 6] and [29,52]. Now, following the same scheme as in [28], we consider the linear map

$$\sigma : S^2(C) \longrightarrow C^{(2)},$$

where the element $x_i x_j$ is mapped to $\mathbf{g}_i * \mathbf{g}_j$. The kernel of this map will be denoted by $K_2(C)$. Then $K_2(C)$ is the solution space of the following set of equations:

$$\sum_{1 \le i \le i' \le k} g_{ij}\, g_{i'j}\, X_{ii'} = 0, \qquad 1 \le j \le n.$$

There is no loss of generality in assuming $G$ to be systematic at the first $k$ positions, making a suitable permutation of columns and applying Gaussian elimination if necessary. Then $G = (I_k \mid P)$ where $I_k$ is the $k \times k$ identity matrix and $P$ is the $k \times (n-k)$ matrix formed by the last $n - k$ columns of $G$. Now $H = (P^T \mid -I_{n-k})$ is a parity check matrix of $C$, or equivalently $H$ is a generator matrix of the $[n, n-k]$ code $D = C^\perp$.

In [14, §3] and [36, Ch. 10] a system $\mathcal{L}_P$ associated to the matrix $P$, consisting of $k$ linear equations in the $\binom{n-k}{2}$ variables $Z_{jj'}$ with $k + 1 \le j < j' \le n$, is defined as

$$\mathcal{L}_P = \Big\{ \sum_{k < j < j' \le n} p_{ij}\, p_{ij'}\, Z_{jj'} = 0 \ \Big|\ 1 \le i \le k \Big\}.$$

This system differs from the system of equations obtained for the kernel $K_2(C)$ in interchanging the indices $i$ and $j$ and in the strict inequality $j < j'$ in the summation, instead of $i \le i'$. Denote the kernel of $\mathcal{L}_P$, that is, the space of all solutions of $\mathcal{L}_P$, by $K(\mathcal{L}_P)$.

Proposition 1. $\dim K(\mathcal{L}_P) = \dim K_2(D)$.

Proof. Let $M$ be the $\binom{k+1}{2} \times n$ matrix with entries $(g_{ij}\, g_{i'j})_{1 \le i \le i' \le k,\; 1 \le j \le n}$. Then a basis of $K_2(C)$ can be read off directly as the left kernel of $M$ (the solutions $X$ of $XM = 0$). Note also that the dimension of $C^{(2)}$ is equal to the rank of $M$. Furthermore, since $C^{(2)}$ is the image of the linear map $\sigma$, by the first isomorphism theorem we get

$$\dim K_2(C) + \dim C^{(2)} = \dim S^2(C) = \binom{k+1}{2}.$$

Let $\mathbf{h}_i$ be the $i$-th row of the parity check matrix $H$, $\mathbf{e}_i$ the $i$-th vector of the canonical basis of $\mathbb{F}_q^{n-k}$ and $\mathbf{q}_i$ the $i$-th row of the matrix $P^T$. Then $q_{ij} = p_{j, i+k}$ and $\mathbf{h}_i = (\mathbf{q}_i \mid -\mathbf{e}_i)$. Therefore

$$\mathbf{h}_i * \mathbf{h}_{i'} = \begin{cases} (\mathbf{q}_i * \mathbf{q}_{i'} \mid \mathbf{e}_i) & \text{if } i' = i, \\ (\mathbf{q}_i * \mathbf{q}_{i'} \mid \mathbf{0}) & \text{if } i' \ne i. \end{cases}$$

Let $M_1$ be the $k \times \binom{n-k}{2}$ matrix with entries $(p_{ij}\, p_{ij'})_{1 \le i \le k,\; k < j < j' \le n}$. Then

$$\dim K(\mathcal{L}_P) = \binom{n-k}{2} - \mathrm{rank}(M_1).$$

Now let $M_2$ be the $\binom{n-k+1}{2} \times n$ matrix with entries $(h_{ij}\, h_{i'j})_{1 \le i \le i' \le n-k,\; 1 \le j \le n}$. Then

$$\dim D^{(2)} = \mathrm{rank}(M_2) = n - k + \mathrm{rank}(M_1),$$

since the $n - k$ rows with $i = i'$ carry the identity $I_{n-k}$ on their last $n - k$ coordinates, while the rows with $i < i'$ are zero there and their first $k$ coordinates form the matrix $M_1^T$. Therefore

$$\dim K(\mathcal{L}_P) = \binom{n-k}{2} - \mathrm{rank}(M_1) = \binom{n-k+1}{2} - (n-k) - \mathrm{rank}(M_1) = \binom{n-k+1}{2} - \dim D^{(2)} = \dim K_2(D). \qquad \square$$

The dual statement of Proposition 1 gives $\dim K(\mathcal{L}_{P^T}) = \dim K_2(C)$.

For every $[n, k]$ code $C$ over $\mathbb{F}_q$ the following inequality holds:

$$\dim C^{(2)} \le \min\Big\{ n, \binom{k+1}{2} \Big\}.$$

However, if the entries of the matrix $P$ are taken independently and identically distributed, then the inequality holds with equality with high probability, which is what is actually proved in the next proposition.

Proposition 2. Let $C$ be an $[n, k]$ code with $n \ge \binom{k+1}{2}$ chosen at random. Then

$$\Pr\Big( \dim C^{(2)} = \binom{k+1}{2} \Big) = 1 - o(1).$$

Proof. Let $C$ be a linear code with parameters $[n, k]$ over $\mathbb{F}_q$ with $n \ge \binom{k+1}{2}$. We have seen in the proof of Proposition 1, with the roles of $C$ and $D = C^\perp$ interchanged, that the linear system $\mathcal{L}_{P^T}$ associated with $C$ consists of $n - k$ linear equations in $\binom{k}{2}$ unknowns. In case $n - k \ge \binom{k}{2}$, or equivalently $n \ge \binom{k+1}{2}$, Faugère et al. [14] proved that the dimension of the solution space of $\mathcal{L}_{P^T}$ is $0$ with high probability. Therefore under the same hypothesis we have that the dimension of $C^{(2)}$ is $\binom{k+1}{2}$ with high probability. $\square$

Example 8. Let $C$ be a GRS code with parameters $[n, k]$, take for instance $C = \mathrm{GRS}_k(\mathbf{a}, \mathbf{b})$ where $\mathbf{a}$ is an $n$-tuple of mutually distinct elements of $\mathbb{F}_q$ and $\mathbf{b}$ is an $n$-tuple of nonzero elements of $\mathbb{F}_q$. Then $C^{(2)}$ is the code $\mathrm{GRS}_{2k-1}(\mathbf{a}, \mathbf{b} * \mathbf{b})$ if $2k - 1 \le n$ and $\mathbb{F}_q^n$ otherwise. Hence $\dim C^{(2)} = \min\{2k-1, n\}$. Therefore

$$\dim K_2(C) = \binom{k+1}{2} - (2k - 1) = \binom{k-1}{2} \quad \text{if } 2k - 1 \le n.$$
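The following is an added worked example in Python; it is not code from the paper. It serves two passages at once: the GRS construction of Example 1 together with the decoding algorithm behind Definition 1 (Section 2), and the square-code dimension of this section (Example 8 against Proposition 2). It works over the constructed prime field $\mathbb{F}_{101}$ with $n = 10$, $t = 2$, evaluation points $\mathbf{a} = (1, \ldots, 10)$, multipliers $\mathbf{u} = \mathbf{a}$ and $\mathbf{v} = \mathbf{1}$, so that $A = \mathrm{GRS}_3(\mathbf{a}, \mathbf{u})$, $B = \mathrm{GRS}_2(\mathbf{a}, \mathbf{v})$ and $C = \mathrm{GRS}_4(\mathbf{a}, \mathbf{u} * \mathbf{v})^\perp$ is a $[10, 6, 5]$ code. It checks E.1-E.4 by brute force on the minimum distances, decodes a constructed received word with two errors by the error-locating/error-evaluating procedure (first compute $K(\mathbf{y}) = \{\mathbf{a} \in A : (\mathbf{a} * \mathbf{y}) \perp B\}$, then solve for the error on the common zeros of $K(\mathbf{y})$), and finally compares $\dim C^{(2)}$ for a GRS code ($2k - 1$) with that of a constructed non-GRS $[6, 3]$ code ($\binom{4}{2}$). The field, the evaluation points, the multipliers, the message, the error positions and the generic code are all constructed for the demonstration.

```python
from itertools import combinations, combinations_with_replacement

P = 101  # constructed prime field GF(101); any prime p > n works for the GRS instances below

def rref(rows, p=P):
    """Reduced row echelon form mod p; returns only the nonzero rows (entries must lie in [0, p))."""
    m, r = [row[:] for row in rows], 0
    for col in range(len(m[0]) if m else 0):
        piv = next((i for i in range(r, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][col], p - 2, p)
        m[r] = [(x * inv) % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][col]:
                m[i] = [(a - m[i][col] * b) % p for a, b in zip(m[i], m[r])]
        r += 1
    return m[:r]

def nullspace(rows, p=P):
    """Basis of {x : rows x^T = 0 mod p}, i.e. a generator matrix of the dual code."""
    red = rref(rows, p)
    pivots = [next(j for j, x in enumerate(row) if x) for row in red]
    basis = []
    for f in range(len(rows[0])):
        if f not in pivots:                      # one basis vector per free column
            x = [0] * len(rows[0])
            x[f] = 1
            for row, pc in zip(red, pivots):
                x[pc] = (-row[f]) % p
            basis.append(x)
    return basis

def star(u, v, p=P):                              # coordinatewise (star) product of Section 2
    return [(a * b) % p for a, b in zip(u, v)]
def dot(u, v, p=P):
    return sum(a * b for a, b in zip(u, v)) % p
def grs(k, a, b, p=P):                            # generator matrix of GRS_k(a, b): rows b * a^j
    return [[(bi * pow(ai, j, p)) % p for ai, bi in zip(a, b)] for j in range(k)]

def min_distance(gen, p=P):
    """d(C): the smallest w such that some w columns of a parity check matrix are dependent."""
    h, n = nullspace(gen, p), len(gen[0])
    for w in range(1, n + 1):
        for cols in combinations(range(n), w):
            if len(rref([[row[j] for j in cols] for row in h], p)) < w:
                return w
    return n + 1

def is_ecp(A, B, C, t, p=P):
    """Check E.1-E.4 of Definition 1 (A, B, C given by generator matrices)."""
    e1 = all(dot(star(a, b, p), c, p) == 0 for a in A for b in B for c in C)  # (A*B) ⊥ C
    e2 = len(rref(A, p)) > t                                                   # k(A) > t
    e3 = min_distance(nullspace(B, p), p) > t                                  # d(B^⊥) > t
    e4 = min_distance(A, p) + min_distance(C, p) > len(C[0])                   # d(A) + d(C) > n
    return e1 and e2 and e3 and e4

def ecp_decode(A, B, C, y, t, p=P):
    """Basic ECP decoder: y = c + e with wt(e) <= t. Returns c, or None when decoding fails."""
    n = len(y)
    # Error locating: K(y) = {a in A : (a*y)·b = 0 for all b in B} equals A(supp(e)) by E.1-E.3,
    # so the common zero set J of K(y) contains supp(e) and |J| <= n - d(A) < d(C) by E.4.
    coeffs = nullspace([[dot(star(ai, y, p), b, p) for ai in A] for b in B], p)
    kernel = [[sum(x * ai[j] for x, ai in zip(xs, A)) % p for j in range(n)] for xs in coeffs]
    J = [j for j in range(n) if all(a[j] == 0 for a in kernel)]
    # Error evaluating: solve H e^T = H y^T with e supported on J; unique since |J| < d(C).
    H, e = nullspace(C, p), [0] * n
    for row in rref([[h[j] for j in J] + [dot(h, y, p)] for h in H], p):
        piv = next(i for i, x in enumerate(row) if x)
        if piv == len(J):              # row (0 ... 0 | s) with s != 0: inconsistent, too many errors
            return None
        e[J[piv]] = row[-1]
    c = [(yi - ei) % p for yi, ei in zip(y, e)]
    ok = sum(1 for x in e if x) <= t and all(dot(h, c, p) == 0 for h in H)
    return c if ok else None

def square_dim(gen, p=P):
    """dim C^(2): rank of the pairwise star products of the rows of a generator matrix (Section 4)."""
    return len(rref([star(g, h, p) for g, h in combinations_with_replacement(gen, 2)], p))

def example_instance(t=2, n=10):
    """Example 1 with constructed a = (1, ..., n), u = a, v = 1: returns generator matrices of
    A = GRS_{t+1}(a, u), B = GRS_t(a, v) and C = GRS_{2t}(a, u*v)^⊥, an [n, n-2t, 2t+1] code."""
    a = list(range(1, n + 1))
    return grs(t + 1, a, a), grs(t, a, [1] * n), nullspace(grs(2 * t, a, a))

def run_example():
    """Encode a constructed message in C, add a constructed weight-2 error, decode: (c, y, decoded)."""
    A, B, C = example_instance()
    c = [sum(mi * g[j] for mi, g in zip([3, 1, 4, 1, 5, 9], C)) % P for j in range(10)]
    y = c[:]
    y[2], y[7] = (y[2] + 17) % P, (y[7] + 42) % P
    return c, y, ecp_decode(A, B, C, y, 2)

# Constructed [6, 3] code that is not GRS: its square has dimension binom(4, 2) = 6 (Proposition 2),
# while GRS_3 of length 6 has square dimension 2k - 1 = 5 (Example 8): the square distinguishes them.
GENERIC = [[1, 0, 0, 1, 1, 1], [0, 1, 0, 1, 2, 3], [0, 0, 1, 1, 3, 2]]
```

`ecp_decode` returns `None` when the syndrome system restricted to the located positions is inconsistent or the recovered error has weight above $t$, which is what happens when more than $t$ errors are injected; the distinguisher is the comparison of `square_dim` with $\min\{n, \binom{k+1}{2}\}$: a GRS code falls far below that bound ($2k - 1$), a generic code meets it.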

Example 9. Let $C$ be a $k$-dimensional subcode of the code $\mathrm{GRS}_l(\mathbf{a}, \mathbf{b})$. Then $C^{(2)}$ is a subcode of the code $\mathrm{GRS}_{2l-1}(\mathbf{a}, \mathbf{b} * \mathbf{b})$ if $2l - 1 \le n$. Thus

$$\dim C^{(2)} \le \min\{2l - 1, n\}.$$

Moreover if $4l - 3k - 1 < q$ and $2l - 1 \le \binom{k+1}{2}$, then it was shown in [29] that $C^{(2)}$ is equal to $\mathrm{GRS}_{2l-1}(\mathbf{a}, \mathbf{b} * \mathbf{b})$ with high probability, so, under this hypothesis,

$$\Pr\big( \dim C^{(2)} = 2l - 1 \big) = 1 - o(1).$$

The dual code $D = C^\perp$ contains the code $\mathrm{GRS}_l(\mathbf{a}, \mathbf{b})^\perp = \mathrm{GRS}_{n-l}(\mathbf{a}, \mathbf{b}')$. That is, $D^{(2)}$ contains the square of $\mathrm{GRS}_{n-l}(\mathbf{a}, \mathbf{b}')$, which is equal to $\mathrm{GRS}_{2n-2l-1}(\mathbf{a}, \mathbf{b}' * \mathbf{b}')$ if $2n - 2l - 1 \le n$, or equivalently if $n \le 2l + 1$. Recall that the star products of the rows of a generator matrix of any linear code give a generating set for its square code, that is, the square of any $[n, s]$ linear code is generated by $\binom{s+1}{2}$ elements. In particular $D^{(2)}$ is generated by $\binom{n-k+1}{2}$ elements, but since $\mathrm{GRS}_{2n-2l-1}(\mathbf{a}, \mathbf{b}' * \mathbf{b}') \subseteq D^{(2)}$ there are at least $\binom{n-l+1}{2} - (2n - 2l - 1)$ dependent elements in this generating set (choose the generator matrix of $D$ so that its first $n - l$ rows generate $\mathrm{GRS}_{n-l}(\mathbf{a}, \mathbf{b}')$). Thus

$$\dim D^{(2)} \le \binom{n-k+1}{2} - \binom{n-l+1}{2} + (2n - 2l - 1) = \binom{n-k+1}{2} - \binom{n-l-1}{2}.$$

Example 10. The problem of distinguishing Goppa, alternant and random codes from each other was studied by Faugère et al. in [14]. Their experimental results give rise to a conjecture on the dimension of $K(\mathcal{L}_P)$ for Goppa and alternant codes of high rate.



Example 11. Let $C = C_L(\mathcal{X}, \mathcal{P}, E)$ where $\mathcal{X}$ is an algebraic curve over $\mathbb{F}_q$ of genus $g$, $\mathcal{P}$ is an $n$-tuple of mutually distinct $\mathbb{F}_q$-rational points of $\mathcal{X}$ and $E$ is a divisor of $\mathcal{X}$ with disjoint support from $\mathcal{P}$ of degree $m$. Then $C^{(2)} \subseteq C_L(\mathcal{X}, \mathcal{P}, 2E)$. Assume moreover that $2g - 2 < m < n/2$. Then $C$ has dimension $k = m + 1 - g$ and $C_L(\mathcal{X}, \mathcal{P}, 2E)$ has dimension $2m + 1 - g = k + m$. Hence $\dim C^{(2)} \le k + m$.

Let $G$ be a generator matrix of the algebraic geometry code $C$. Take the columns of $G$ as homogeneous coordinates of points in $\mathbb{P}^{m-g}$; this gives a projective system $\mathcal{Q} = (Q_1, \ldots, Q_n)$ of points in the projective space $\mathbb{P}^{m-g}(\mathbb{F}_q)$. Since $m > 2g$ there exists an embedding of the curve $\mathcal{X}$ in $\mathbb{P}^{m-g}$ of degree $m$,

$$\varphi_E : \mathcal{X} \longrightarrow \mathbb{P}^{m-g}, \qquad P \longmapsto \varphi_E(P) = (f_0(P) : \cdots : f_{m-g}(P)),$$

where $\{f_0, \ldots, f_{m-g}\}$ is a basis of $L(E)$, such that $\mathcal{Q} = \varphi_E(\mathcal{P})$ lies on the curve $\mathcal{Y} = \varphi_E(\mathcal{X})$. The space $I_2(\mathcal{Q})$ of quadratic polynomials that vanish on $\mathcal{Q}$ can be identified with $K_2(C)$. Furthermore if $2g + 2 \le m < \tfrac{1}{2} n$, then $I_2(\mathcal{Y}) = I_2(\mathcal{Q})$ and $I(\mathcal{Y})$, the vanishing ideal of $\mathcal{Y}$, is generated by $I_2(\mathcal{Q})$. Now

$$\dim K_2(C) = \binom{k+1}{2} - \dim C^{(2)} \ge \binom{k+1}{2} - (k + m) = \binom{k}{2} - m.$$

Therefore $\mathcal{Y}$ is given as the intersection of at least $\binom{k}{2} - m$ quadrics in $\mathbb{P}^{m-g}$. For more details we refer the reader to [28].



Example 12. Let $t(t+1) \le n$. Let $(A, B)$ be a pair of random codes of dimension $t + 1$ and $t$, respectively. Take $C = (A * B)^\perp$ as in Example 6. Then $D = C^\perp = A * B$. So $D^{(2)} = A^{(2)} * B^{(2)}$. Hence

$$\dim D^{(2)} \le \binom{t+2}{2} \binom{t+1}{2},$$

which is about half the expected $\binom{t(t+1)+1}{2}$ in case $\binom{t(t+1)+1}{2} \le n$ by Proposition 2, since $D$ has dimension $t(t+1)$ with high probability by Appendix A.
A The dimension of $A * B$

Let $A$ and $B$ be two linear codes over $\mathbb{F}_q$ with parameters $[n, s]$ and $[n, t]$, generated by the sets $\{\mathbf{a}_1, \ldots, \mathbf{a}_s\}$ and $\{\mathbf{b}_1, \ldots, \mathbf{b}_t\}$ of vectors in $\mathbb{F}_q^n$, respectively. Let $M$ be the $st \times n$ matrix over $\mathbb{F}_q$ whose rows consist of the vectors $\mathbf{a}_i * \mathbf{b}_j = (a_{i,1} b_{j,1}, \ldots, a_{i,n} b_{j,n}) \in \mathbb{F}_q^n$ with $i \in \{1, \ldots, s\}$ and $j \in \{1, \ldots, t\}$, ordered lexicographically. Then the rows of $M$ form a generating set of the code $A * B$.

Indeed $M$ is a block matrix consisting of $s$ blocks $M_i = (\mathbf{a}_i * \mathbf{b}_j)_{1 \le j \le t}$ with $i \in \{1, \ldots, s\}$, each of size $t \times n$. We define the support of a codeword $\mathbf{c} = (c_1, \ldots, c_n)$ by $\mathrm{supp}(\mathbf{c}) = \{l \mid c_l \ne 0\}$. Note that if $l \notin \mathrm{supp}(\mathbf{a}_i)$ then the $l$-th column of $M_i$ consists of zeros.

In the following lines, assuming that $st \le n$, we will prove that $M$ has full rank with high probability. We proceed by a similar procedure as in Appendix B of [13], where it is proved that the solution space of the linear system associated to an arbitrary random linear code is zero with high probability.

Let $E_1 = \mathrm{supp}(\mathbf{a}_1)$. Suppose $|E_1| \ge t$. Let $F_1$ be a subset of $E_1$ with cardinality $t$. To simplify notation, and without loss of generality, we can always assume that $F_1$ corresponds to the first $t$ coordinates of $\mathbf{a}_1$, by permuting the coordinates if necessary. Let $M^{(1)}$ be the square submatrix of $M_1$ formed by its first $t$ columns, i.e.

$$M^{(1)} = (a_{1,l}\, b_{j,l})_{1 \le j \le t,\; 1 \le l \le t} \in \mathbb{F}_q^{t \times t}.$$

Now we define by induction $E_i := \mathrm{supp}(\mathbf{a}_i) \setminus (F_1 \cup \cdots \cup F_{i-1})$ and the subset $F_i$ as the first $t$ elements of $E_i$, assuming that $|E_i| \ge t$. The square matrix $M^{(i)} \in \mathbb{F}_q^{t \times t}$ is obtained from $M_i$ by taking the $F_i$-indexed columns, for $i \in \{1, \ldots, s\}$. Then the following lemma holds.

Lemma 1. If $|E_i| \ge t$ for all $i \in \{1, \ldots, s\}$ then

$$\mathrm{rank}(M) \ge \sum_{i=1}^{s} \mathrm{rank}\big(M^{(i)}\big).$$



Lemma 2. If $|E_i| \ge t$ for all $i = 1, \ldots, s$ then

$$\Pr\Big( \sum_{i=1}^{s} d\big(M^{(i)}\big) > w \Big) \le K^s q^{-w},$$

where $d(M^{(i)}) = t - \mathrm{rank}(M^{(i)})$ for $i = 1, \ldots, s$ and $K$ is a constant depending only on $q$.

Proof. See [14, Lemma 5]. $\square$

Lemma 3. Let $m = n - (i-1)t$ with $i \in \{1, \ldots, s\}$; then

$$\Pr\big( |E_i| < t \;\big|\; |E_1| \ge t, \ldots, |E_{i-1}| \ge t \big) \le e^{-2 \cdots}$$

Proof. See [14, Lemma 6]. $\square$

Theorem 1. Assume that $st \le n$. Then for any function $w(x)$ tending to infinity as $x$ goes to infinity we have

$$\Pr\big( D > w(t) \big) = o(1),$$

where $D = st - \mathrm{rank}(M)$.

Proof. Note that if $|E_i| \ge t$ for $i \in \{1, \ldots, s\}$ then $D \le \sum_{i=1}^{s} d(M^{(i)})$ by Lemma 1.

Let $S_1$ be the event $\sum_{i=1}^{s} d(M^{(i)}) > w(t)$; then using Lemma 2 we have that $\Pr(S_1) = o(1)$. And let $S_2$ be the event of having at least one $E_i$ with $i \in \{1, \ldots, s\}$ such that $|E_i| < t$. Then the probability of the complement of the event $S_2$ is given by

$$\Pr(S_2^c) = \Pr\Big( \bigcap_{i=1}^{s} |E_i| \ge t \Big) = \prod_{i=1}^{s} \Pr\big( |E_i| \ge t \;\big|\; |E_1| \ge t, \ldots, |E_{i-1}| \ge t \big) = 1 - o(1)$$

by Lemma 3.

Then we deduce that the sought probability is

$$\Pr\big( D > w(t) \big) \le \Pr(S_1 \cup S_2) \le \Pr(S_1) + \Pr(S_2) = o(1). \qquad \square$$



